The United States Federal Trade Commission and the New York State Attorney General — who together brought the case against Google — now require YouTube to obtain consent from parents before collecting or sharing personal information. In addition, creators of child-directed content must self-identify to restrict the delivery of targeted ads.
The $170 million fine is a pittance given Alphabet Inc.’s (Google’s holding company) valuation of more than US$700 billion.
Our digital identities comprise data collected across our activities, making personal or identifying information irrelevant. Children today are subjugated to a scale of data collection and targeting that we cannot fathom. Right now, we also have no clue about the consequences, and regulatory protections to data-proof their futures are far from certain.
My ongoing research on how big tech and media conglomerates are using dark pattern design to bypass privacy regulations protecting personal information has revealed how vulnerable children are to data collection and how Canada’s legislation in particular is failing them.
Incomprehensible scale
For adults and children, Google has access to everything from search queries to online purchases to any app and website associated with gmail accounts – including deleted accounts – or linked via cross-browser finger-printing.
As a parent, you create a network of cross-connections when you input information to make purchases for your child online or set up accounts for your child on apps and websites. Added to this is all your child’s activity on YouTube and YouTube Kids, search data to clicks on recommended videos to rewinds and duration of play time.
We are talking about vast fields of data, the scale of which is difficult to comprehend; this data is used to feed Google’s artificial intelligence recommendation algorithms that now steer everything from employment application processes to dating apps…’
I spoke today before the City of Toronto Executive Committee on the update to Quayside, and the proposed Master Innovation and Development Plan from Sidewalk Toronto. The full text of my statement on the question of “Can We Trust Alphabet & Sidewalk Toronto with Children’s Data?” is below, though my public deputation was slightly shorter. You can watch my deputation here, starting at 2:55:38. The text is below:
Deputation to City of Toronto Executive Council
Good afternoon and thank you for the opportunity to speak before you today. What I will speak to is a small segment of a larger academic study examining how big tech and entertainment conglomerates are handing children’s data and my paper on Big Data, Disney, and the Future of Children’s Entertainment was published yesterday.
To clarify – to speak to Councillor Fletcher’s question, in Canada and the US children under 13 are deemed to be minors, and cannot give consent, hence terms of use requiring parental consent on most websites. In the EU, with the enforcing of the General Data Protection Regulation (GDPR) in May 2018, all but two countries raised the age of consent to 16. the Office of the Privacy Commissioner of Canada (OPC) recognizes children as vulnerable and deserving of special considerations: they cannot make informed decisions as to what they are agreeing to. We do not have adequate legislation in Canada to regulate today’s data collection practices, generating pseudonymized consumer profiles via cross-browser fingerprinting and other methods.
Do you see children in this illustration from Sidewalk Labs? I do.
My findings on Alphabet’s subsidiary companies are alarming, well-documented internationally, and raise serious questions as to whether we can trust a big tech company to self-regulate. Alphabet’s subsidiary companies, Google, YouTube, and Google Play, have an established pattern of violating children’s data privacy due to variously:
Broadly, an (over) reliance on AI to serve ads and content recommendations;
a lack of human oversight on app developer practices in the Google Play store;
an overreach as to data collection of minors and teens via Google Chromebooks introduced in American schools in 2017 whereby account holders had to opt-out of data collection.
Let me detail two instances further:
A 2018 academic study, “Won’t Somebody Think of the Children?: Examining COPPA Compliance at Scale,” published in the Proceedings on Privacy Enhancing Technologies, found that “thousands of Android apps potentially violated the Children’s Online Privacy Protection Act or COPPA in the US. “The study examined “5,885 child-directed Android apps from the US Play Store, which are included in Google’s Designed for Families programme, and found that “Overall, roughly 57% of the 5,855 child-directed apps that we analysed are potentially violating Coppa.” A complaint from the Campaign for a Commercial Free Childhood to the FTC in the US expanded on how the Google Play Store apps were marketing to children and in turn, violating children’s privacy.
The consistent documented pattern across Alphabet’s companies is a failure to enforce secure data privacy for children under 13 until an external organization calls attention to violations. Why is this important for Quayside? Sidewalk Labs is a sister company to three of Alphabet’s subsidiaries, all of whom have failed to meet compliance requirements (more than once) with repeated international outcry, so there is no basis to expect that Sidewalk TO will be any more reliable as to protecting or respecting the privacy of minors.
As John Thackera stated, Trust is not an algorithm. So, can we trust companies who trust in algorithms? Based on existing documentation, we should not assume we can trust Alphabet’s Sidewalk Toronto to consistently respect the data privacy of our most vulnerable citizens, as sister companies have not in the past. Currently, so called “urban data” gathered in public spaces will scoop the data of minors and treat it as adult data, unless protections are clearly designed and executed. Clarity as to how we can ensure the consistent protection of the data privacy of children and youth must be central to our discussions of technology globally and to Justin Trudeau’s proposedDigital Charter in Canada. It behooves us to be very circumspect as to trusting Alphabet’s Sidewalk Toronto with our children’s data.
Note: The New York Times published a report, “On YouTube’s Digital Playground, an Open Gate for Pedophiles,” on Monday June 3, 2019, that AGAIN, YouTube’s algorithms are pushing child-created content to pedophiles, resulting in mass *swarm* activity in views and on the comments. The instances I referred to were from 2017 and February 2019.
The material here is a small fraction of a larger research inquiry into how major tech platforms and media conglomerates are / are not adhering to children’s privacy regulations. Primarily, COPPA in the US, Office of the Privacy Commissioner guidelines in Canada, then relevant legislation and activities in Europe pre & post GDPR, and activities in Mexico & India.
Given PM Trudeau’s commitment to a Digital Charter in Canada to halt hate speech on social media and online platforms, children’s data privacy should be at the forefront of this discussion.
From my essay:
“The devices that we use have unique identifiers. With cross-browser fingerprinting, the data we generate as users isn’t as anonymized as we believe it is. The tracking of our online activity is extensive, comprehensive and persistent, and generates marketable data shadowsthat do not need our personal information in order to target us as consumers.
This should be a significant concern regarding today’s children and youth, who have extremely detailed data profiles that they will carry into adulthood, creating what Google’s Eric Schmidt termed an “indelible record.”
What is key to note here is that these instances of alleged violations of children’s privacy have occurred in the private realm, where regulations exist as to how this data should be handled. As smart city projects like Sidewalk Toronto’s Quayside project grow in profile and popularity, they have yet to identify what will happen to data generated in public by minors. Because Sidewalk Toronto may set precedents shaping future smart city planning, children’s privacy in the private and public spheres should be recognized as a national issue.
Sidewalk Toronto is a subsidiary of Alphabet Inc., Google’s parent company, with several concerning precedents regarding tracking and collecting the data of minors. The findings reported here are an extension of a longer paper as to how tech and media giants are observation privacy needs of minors. “Data Science, Disney, and The Future of Children’s Entertainment” will be published in The Palgrave Handbook of Children’s Film and Television (July 2019).
Minors can’t consent
Children today face unique challenges because they will be targeted by business intelligence, and shaped by this targeting to a degree that we cannot fathom. There are legal protections for minors under 13 as stated by the Office of the Privacy Commissioner of Canada (OPC) and Children’s Online Privacy Protection Rule (COPPA) in the United States. Children and youth are recognized as vulnerable and deserving of special considerations: they cannot make informed decisions as to what they are agreeing to. This makes the data tracking and mining of children under 13 a federal issue….”
